This article deals with the AAA-based (Authentication, Authorization, and Access) security architecture implemented in Panda SIEMFeeder as well as the encryption of all communications between the Panda Importer software and all the other components that make up the solution.
AAA security architecture overview
- Initial message exchange
To access the Panda SIEMFeeder service securely, an initial message exchange must take place between the Panda Importer computer and Panda SIEMFeeder. This exchange must take place successfully; otherwise, it won't be possible to access the information published in the Azure topic.
Below is a diagram showing the message flow established the first time Panda Importer is run (numbered based on Figure 4). This flow must be established again every time the user is removed from the system or loses the Full Control role assigned via Aether.
1. Panda Importer sends the credentials (email address and password) assigned to the customer.
2. Authentication Phase: the PAS service connects to the Panda IdP service to validate the credentials.
3. Authorization Phase: the PAS service connects to the Aether service to check whether the customer has access to the Panda SIEMFeeder service.
Figure 5: steps 1 to 3 in the initial message exchange
4. The PAS service generates and delivers an access token and a refresh token to Panda Importer.
5. Panda Importer sends the refresh token to the PAC service.
6. Access Phase: the PAC service generates a shared access signature (SAS) key.
7. Access to the topic: Panda Importer accesses the assigned topic using the SAS key.
8. Panda Importer receives the logs from the subscribed topic.
Figure 6: steps 4 to 8 in the initial message exchange
- Security architecture: Components
Figure 4 shows the components responsible for authenticating customers and granting them access to the platform resources required to download the log files that contain the information collected from the organization's IT network.
Figure 4: AAA security architecture overview
- Panda Importer: program provided by Panda Security and designed to collect the log files stored on the Azure platform.
- Azure Topic: a queue-type resource generated on the Azure platform. It stores the log files received from Panda Security with the information collected from the organization's IT network.
- PAS (Panda Authorization Service): service that authenticates and authorizes access to the Azure topic. It receives, from Panda Importer, the credentials assigned to the customer when purchasing the service, and returns to it an access token and a refresh token.
- PAC (Panda Access Control): service that enables Panda Importer to access the Azure topic provisioned to the customer. It receives the refresh token from Panda Importer and returns a shared access signature (SAS) key.
- Panda IdP (Identity Provider): service that authenticates the sent credentials.
- Aether: service that authorizes access to Panda SIEMFeeder.
- Subsequent message exchange
Panda Importer uses the refresh token to obtain the SAS key. Both the token and the SAS key have an expiration date and are short-lived for security reasons. As soon as the refresh token expires, Panda Importer initiates the following alternative message flow:
- Panda Importer asks the PAS service for a new refresh token. To do that, it sends the access token that was assigned to it during the above-mentioned initial flow.
- With the new refresh token, Panda Importer asks the PAC service for a new SAS key.
- With the new SAS key, Panda Importer connects to the Azure topic and continues collecting log files.
Figure 7: message flow when the refresh token expires
- AAA communication encryption
All communications for requesting and sending tokens are encrypted over HTTPS (SSL, SHA256-G3).
- Lifetime of the tokens assigned by Panda SIEMFeeder
- PAS refresh token: 14 days
- PAS access token: 20 minutes
- SAS key: 1 day
Panda Importer uses the refresh token to access the Azure topic. Once the refresh token expires, a new access token will be generated containing the account details entered in the Panda Importer program. In addition to this, a new refresh token will also be generated for Panda Importer to continue accessing the Azure topic.
Even if the account used when configuring the service is no longer available or no longer has the Full Control role assigned to it, the customer can continue accessing the service as long as the refresh token has not expired (maximum lifetime: 14 days). Once the refresh token expires, no new refresh token can be generated and access is denied.
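The renewal flow and the token lifetimes above, simulated as an added example that is not part of this page or of the Panda software: the PAS, PAC, Panda IdP and Aether stand-ins, the account name, the token format and the fake clock are all constructed here. It shows which renewal step Panda Importer takes at a given moment, including the window during which a revoked Full Control role is still served from an unexpired refresh token.

```python
# Added example, not Panda's code: simulate the SIEMFeeder token lifecycle with the
# lifetimes stated on this page, using constructed tokens and a fake clock.
from dataclasses import dataclass
from datetime import datetime, timedelta

REFRESH_TTL = timedelta(days=14)     # PAS refresh token
ACCESS_TTL = timedelta(minutes=20)   # PAS access token
SAS_TTL = timedelta(days=1)          # SAS key

T0 = datetime(2024, 1, 1)            # constructed start of the simulated clock
def at(days=0, minutes=0):
    return T0 + timedelta(days=days, minutes=minutes)

@dataclass
class Token:
    kind: str
    expires: datetime
    def valid(self, now):
        return now < self.expires

# Constructed stand-ins for Panda IdP (credentials) and Aether (Full Control role).
IDP_USERS = {"siem@example.com": "correct horse"}
AETHER_FULL_CONTROL = {"siem@example.com"}

def pas_login(email, password, now):
    """PAS: authenticate via IdP, authorize via Aether, then issue both tokens."""
    if IDP_USERS.get(email) != password or email not in AETHER_FULL_CONTROL:
        return None
    return Token("access", now + ACCESS_TTL), Token("refresh", now + REFRESH_TTL)

def pac_issue_sas(refresh, now):
    """PAC: exchange a still-valid refresh token for a SAS key."""
    return Token("sas", now + SAS_TTL) if refresh.valid(now) else None

@dataclass
class Importer:
    email: str
    password: str
    access: Token = None
    refresh: Token = None
    sas: Token = None

    def get_sas(self, now):
        """Return a usable SAS key, renewing along the path the page describes."""
        if self.sas and self.sas.valid(now):
            return self.sas                      # SAS still good: no round trip
        if not (self.refresh and self.refresh.valid(now)):
            # Refresh token expired: rerun the initial flow with the stored account.
            issued = pas_login(self.email, self.password, now)
            if issued is None:
                raise PermissionError("access denied: no new refresh token")
            self.access, self.refresh = issued
        self.sas = pac_issue_sas(self.refresh, now)
        return self.sas
```

The last two assertions in the usage below are the security-relevant point: removing the role on day 5 stops nothing until the refresh token issued on day 0 expires on day 14, so role revocation has up to a 14-day lag.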
- Encrypted communications for downloading log files
All communications established for downloading log files are protected with the TLS/SSL and SASL protocols.